This Vundo keeps coming back, but in different forms. I thought I destroyed it, but now it's back again. Now it saved the sysguard in system, and along with that it downloaded a bunch of crap I've never seen before. I started to delete some, then I ran into your message board. I've stopped deleting stuff now and am going to hand over the controls to you. Every time I boot up, iexplorer is starting to show up as a system file (weird, huh). The new thing it's doing is taking over my Firefox and iexplorer and trying to go to a webpage that both Firefox and iexplorer block. Files in my Task Manager load up automatically, then the fake antivirus bullcrap pops up again. This is getting annoying, and my computer is running way slower than before. Scratch that last: my internet is working way slower than before.
I am getting a 400 gig storage drive in this week so I can transfer over my graphics files.
DDS (Ver_09-05-14.01) - NTFSx86
Run by AgentBlade at 17:40:36.14 on Sun 05/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1.#QNAN.1466 [GMT -4:00]
AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\AgentBlade\Desktop\gmer.exe
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
C:\Documents and Settings\AgentBlade\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: : {2d041252-fc62-400c-b36a-fde8a9858858} - c:\windows\system32\cprlosm.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BHO: {bad4551d-9b24-42cb-9bcd-818ca2da7b63} - c:\windows\system32\iehelper.dll
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {AE07101B-6902-0272-AF68-0333EA26E113} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: add to anti-banner - c:\program files\kaspersky lab\kaspersky internet security 7.0\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: bofa.com\www
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192572311173
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199783217765
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: pbruhciq - cprlosm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\agentb~1\applic~1\mozilla\firefox\profiles\pzr198nm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: XUL Cache: {1740D64E-4D53-468E-BC63-7DDB18BD05C3} - c:\documents and settings\agentblade\local settings\application data\{1740D64E-4D53-468E-BC63-7DDB18BD05C3}
============= SERVICES / DRIVERS ===============
R0 spbluohp;spbluohp;c:\windows\system32\drivers\spbluohp.sys [2001-8-23 23424]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-27 194320]
R2 AVP;Kaspersky Internet Security 7.0;c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe [2007-6-28 218376]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-11 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
S2 fjevhbz;fjevhbz;c:\windows\system32\drivers\plmkvofz.sys --> c:\windows\system32\drivers\plmkvofz.sys [?]
S2 lveqbdjofi;lveqbdjofi;c:\windows\system32\drivers\lrvnvctmyehkgyc.sys [2009-5-20 59008]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-12-18 29181272]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2007-10-27 815104]
=============== Created Last 30 ================
2009-05-20 00:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94572176
2009-05-20 00:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14562184
2009-05-10 23:42 <DIR> --d----- c:\documents and settings\agentblade\.smplayer
2009-05-10 23:41 <DIR> --d----- c:\program files\SMPlayer
2009-05-02 13:33 <DIR> --d----- c:\program files\MSECACHE
==================== Find3M ====================
2009-05-24 17:40 102,604 a------- c:\windows\system32\drivers\7c4bc549.sys
2009-05-24 17:05 38,332,704 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-24 17:05 1,300,512 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 17:05 517,964 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-24 17:05 124,916 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 16:41 13,824 a------- c:\windows\system32\iehelper.dll
2009-05-20 01:19 213,024 a------- c:\windows\system32\drivers\str.sys
2009-05-20 00:30 59,008 a------- c:\windows\system32\drivers\lrvnvctmyehkgyc.sys
2009-05-20 00:30 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-05-20 00:29 15,000 a------- c:\windows\system32\tya7hfd873f.dll
2009-05-09 08:28 17,408 a------- c:\windows\system32\SYS32DLL.exe
2009-04-22 03:53 1,033,728 a------- c:\windows\explorer.exe
2009-04-18 14:09 137,992 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-18 14:08 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-03-29 21:55 105,984 a------- c:\windows\system32\plgxhec.dll
2009-03-29 00:12 84,992 a--sh--- c:\windows\system32\bamezafu.dll
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 13:18 1,380,403 a------- c:\windows\system32\avgsdk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-01 22:21 47,360 a------- c:\docume~1\agentb~1\applic~1\pcouffin.sys
2009-02-24 09:52 769,024 a------- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2008-03-01 20:21 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-12-18 21:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121820081219\index.dat
============= FINISH: 17:42:07.51 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-05-14.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12:00:00 AM
System Uptime: 5/24/2009 5:05:41 PM (0 hours ago)
Motherboard: Gigabyte Technology Co., Ltd. | | nForce
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 2080/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 14.95 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
==== Event Viewer Messages From Past Week ========